ikev1: Do a rekey check before installing CHILD_SAs as responder
author Tobias Brunner <tobias@strongswan.org>
Thu, 16 May 2019 08:19:15 +0000 (10:19 +0200)
committer Tobias Brunner <tobias@strongswan.org>
Wed, 22 May 2019 16:28:31 +0000 (18:28 +0200)
If CHILD_SAs are created while waiting for the third QM message, we'd not
notice the redundancy and updown events would be triggered unevenly.
This is consistent with the behavior on the initiator, which already does
this check right before installation. Moving the existing check is not
possible due to the narrow hook and moving the installation changes which
peer installs the SAs first and could have other side-effects (e.g. in
error or conflict cases). Still, this might result in CHILD_SA state
discrepancies between the two peers.

Fixes #3060.

src/libcharon/sa/ikev1/tasks/quick_mode.c

index 3309a5d..128f027 100644
@@ -1218,6 +1218,21 @@ METHOD(task_t, process_r, status_t,
                                }
                                return SUCCESS;
                        }
+                       if (!this->rekey)
+                       {
+                               /* do another check in case SAs were created since we handled
+                                * the QM request, this is consistent with the rekey check
+                                * before installation on the initiator */
+                               check_for_rekeyed_child(this, TRUE);
+                               if (this->rekey)
+                               {
+                                       this->child_sa->destroy(this->child_sa);
+                                       this->child_sa = child_sa_create(
+                                                                       this->ike_sa->get_my_host(this->ike_sa),
+                                                                       this->ike_sa->get_other_host(this->ike_sa),
+                                                                       this->config, &this->child);
+                               }
+                       }
                        if (!install(this))
                        {
                                ike_sa_t *ike_sa = this->ike_sa;
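Review bot: the destroy-and-recreate of this->child_sa in the new `if (this->rekey)` branch is only safe if nothing registered or allocated on the first object (an SPI allocated while answering the QM request, a reference held by the IKE_SA) is lost or left dangling when it is replaced by a fresh child_sa_create() from this->config and &this->child; a short comment stating that the SA has not yet been handed to the IKE_SA at this point and that check_for_rekeyed_child(this, TRUE) updates this->child so the new object inherits the rekeyed SA's parameters would make that invariant explicit for the next reader. The commit message says the initiator already performs the same check right before installation; if it rebuilds the child_sa with the same three-line child_sa_create(this->ike_sa->get_my_host(this->ike_sa), this->ike_sa->get_other_host(this->ike_sa), this->config, &this->child) call, factoring both into one helper would avoid the duplication and keep the two rekey paths from drifting apart.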